Please note: all guidance and information contained in this post was correct at the time of publishing, but may now be out of date.

Schools Under Attack

Jun 16, 2021 | Schools

There is a concerning rise in cyber attacks against schools, to the point that an educational establishment is more likely to suffer a cyber security breach than the average business in the UK. 58% of highschools and 78% of further education colleges identified breaches or attacks in the last 12 months compared to 39% of all other businesses. Cyber attacks against schools can take many forms, the most common attack begins in the form of a phishing email, but threats can also include malware from bogus websites and downloads, ransomware attacks and Denial of Service attacks.

In August and September 2020, following a spike in ransomware attacks on UK schools, colleges and universities, the National Cyber Security Centre (NCSC) issued an alert to the education sector. Since late February 2021, a further increased number of ransomware attacks have affected education establishments in the UK, and the NCSC has updated the alert and issued specific guidance for schools. Paul Chichester, Director of Operations at

 the NCSC, is quoted on their website,  “Any targeting of the education sector by cyber criminals is completely unacceptable. This is a growing threat and we strongly encourage schools, colleges, and universities to act on our guidance and help ensure their students can continue their education uninterrupted.”

Most schools pride themselves on prioritising student safe-guarding and data protection. Cyber security is the third prong in that triad of school security and one that crucially underpins the other two. Improving a school’s cyber security will help create an overall culture of security within the school. In 2021, the Government cyber security breaches survey found a third of schools that suffered a breach lost control of their systems, data or money. Even if there was no material loss following an attack, the majority of schools had to allocate time consuming staff resources to deal with the breach.

Over the last year, through the pandemic, teachers have had to quickly adapt to online learning and remote teaching, sometimes with very limited or make shift resources. All the challenges this has brought has pushed cyber security to the very forefront for every school. The breaches survey found that more than 9/10 of all schools, colleges and universities say that cyber security is a high priority for senior managers and governors, however only 7% of primary schools and 30% of secondary schools have heard of Cyber Essentials. With this in mind, let’s talk about Cyber Essentials.

What can you do to secure your school against cyber attacks?
Cyber Essentials is a simple and effective Government backed scheme that organisations of all sizes can use to help protect themselves against most internet-based threats. The scheme is particularly useful for schools as there is now guidance and support available, tailored specifically towards the education sector.

Most cyber attacks are untargeted and use commodity tools to attack large amounts of devices, services and users at the same time in an indiscriminate way. Most cyber attacks are made up of repeated stages that are probing for further information or leads that can lead to a more targeted attack. These untargeted attacks exploit basic weaknesses that can be found in many organisations such as poorly configured firewalls, software that hasn’t been patched and legacy computer systems that are no longer supported. Cyber Essentials focuses on the five technical controls that have been proven to close the security gaps that up to 80% of cyber attacks depend on. 

What is Cyber Essentials?

Cyber Essentials works as a verified self-assessment. Organisations log onto a secure portal to answer a series of questions, a senior member of the board will sign a document to verify that all the answers are true and then a qualified external assessor will mark the answers.

The questions are based around the scope of the school to be included in the assessment, the staff and governors, devices, software, access control, secure configuration, security update management, firewalls and routers, and malware protection.

The preparation and process of getting certified to Cyber Essentials will give a school or college a clear picture of their cyber security and an opportunity to improve.

The cost of certification is £300 + VAT


Cyber Essentials guide to using a third party IT provider
If you are an educational establishment that uses a third party provider to look after your IT, there is guidance available on the IASME website, for you to be able to choose a company that is capable of delivering Cyber Essentials to your network on your behalf. There is a detailed list of questions for you to ask your provider in order to take ownership of the responsibility that remains yours, for your school’s cyber security.

Cyber Essentials free readiness tool to help you get started
If you are a bit lost about where to start, there is a newly developed, free readiness tool which will help you prepare for Cyber Essentials. The Readiness tool will gauge your current level of cyber securityCyber Essentials Education and provide you with an action plan supported with detailed guidance. It operates as an online series of questions that lead you through the main parts of the Cyber Essentials requirements. These questions are designed to help you think about Cyber Security within your school and each question will prompt you to consider a different aspect of security. If there are areas where you need to put more controls in place, you will get a link to guidance about how to make those changes. This readiness tool is the step that comes before taking the Cyber Essentials self-assessment. It will start you on your journey towards becoming Cyber Essentials certified.

Guidance and support documents and webinars for schools
There is a list of guidance documents for schools that are available on the IASME website for you to download and print off if required. These cover subjects such as how to work out the size of your school or the scope of your school, information about the five core controls, and specifications and policies that are uniquely for schools. To help you navigate your way through the different stages of achieving Cyber Essentials, you can refer to a step by step guide. In addition to the guidance and support documents, you will find a list of recorded webinars that address the issues related to Cyber Essentials for schools in video presentation format. These can be accessed from the IASME website or on Youtube.

Help from qualified consultants
Some of the Cyber Essentials self-assessment questions can be difficult to understand if you do not have a technical IT background or if your school has a complex structure. IASME has trained a number of qualified cyber security companies who will be able to help you understand the assessment questions, how they relate to your company and what steps you need to take in order to achieve certification. These Certification Bodies are trained and licensed to certify against the Government’s Cyber Essentials scheme and they are also available to offer consulting services to help you achieve these certifications.

Free Cyber Liability insurance with Cyber Essentials
Around half of further education colleges (49%) report being insured against cyber risks, with a smaller proportion of primary schools (36%) and secondary school (27%) reporting this. When you certify to Cyber Essentials, if you are based in the UK, have funding arrangements of under £20m and include your whole school in the scope of the assessment, you will automatically be eligible for free cyber liability insurance with a total liability limit of £25,000.

Please note, this blog may contain guidance and information that is outdated.

On 24th January 2022, the Cyber Essentials technical requirements were updated in line with current cyber security threats. The self-assessment question set changed from version ‘Beacon’ to version ‘Evendine’. Blogs and articles published before that date, may no longer accurately reflect the Cyber Essentials requirements.